Gentry Lane is the CEO and founder of ANOVA Intelligence, a national security software company, advisor and cyberpower theory expert.
Over the last 20 years, the cybersecurity market has steadily grown into a thriving global industrial complex. Thousands of companies, dozens of conferences and too many trade journals, blogs and podcasts to count have all been selling products and services to make the cyber domain secure.
So, why aren’t we more secure?
Both cybercrime and state-sponsored military cyber aggression are on an upward trajectory as the skill, sophistication and sheer number of bad actors continue to increase. Given private industry’s technological overmatch, shouldn’t the frequency and severity of cybersecurity events be trending downward instead of up?
The problem is one of fundamental misalignment. Cybersecurity provider business models are predicated on protracted cyber malfeasance. If there’s no aggression, if there’s no crime, then there’s no business. The cyber industrial complex doesn’t profit from deterring or denying cyber hostilities. They profit from a continued state of emergencies and uncertainty. As long as shareholders are happy with sales, this dynamic won’t change.
History shows us that for-profit security is a terrible idea. Until the mid-19th century in America, firefighting forces were owned and dispatched by insurance companies. This meant if your house or business wasn’t insured, no one was coming to put out your fire. And as cities grew and spread, so did the need to provide security at scale. Local fire departments were established and citizen-funded to assure equal protection for all.
Security at scale is most effective as a well-regulated public benefit. In the physical world, every aspect of daily life is overseen by agencies that provide the equitable security of people while traveling, working, driving, in business, making purchases and so on. However, in the cyber domain, there’s no central authority for the prevention and prosecution of unlawful or unsafe behavior. It’s every individual or every company for themselves, with no coordinated strategy to address the growing threat.
Less tangible but more concerning is the damage cyber aggression does to the companies that provide critical goods and services (e.g., emergency services, energy, water, banking, logistics and transportation). These companies are all subject to thousands of serious breach attempts every single day. As a result, American critical infrastructure is suffering a slow death by a thousand papercuts, the cybersecurity industrial complex is getting rich selling Band-Aids and cyber bad actors continue their assaults with impunity.
Given the increasingly complex cyberattack surface and upward trajectory of malicious behavior, we’re on track for more frequent and pervasive security events. What does that mean for you? If the cyber domain is a continuous conflict zone, then your finances, personal data and other digital assets (think photos, email and chats) are perpetually at risk. Rampant cyber aggression undermines the utility of a free, open, interoperable, global internet.
We simply can’t go on like this. As long as the counter response to persistent cyber aggression is a fragmented, triage-focused, poorly played game of whack-a-mole, bad actors will continue. A for-profit cyber defense system only perpetuates this dynamic. It’s time to reexamine current systems and demand security in cyberspace as a public benefit and basic human right.